Configure Split DNS for a specific Host


Say I have and it's hosted externally.
I add an Exchange server, and I add an external record for it called that points to my external IP.
I ALSO want to be able to access my server using the internal IP instead of going out through my firewall and back in. (This is called split DNS.)

Split DNS = I have two DNS zones, one external and one internal, for the same domain.
The issue is that you have to manage both zones individually (even if only one specific host record needs to differ).

An alternative method is to create a zone JUST for that one host name.

Here are the directions to create the zone and its "same as parent" A record.

  1. Open DNS on your DC, right-click Forward Lookup Zones, and select New Zone.
  2. (Steps 2 through 11 were screenshots in the original post: run through the New Zone wizard creating a primary zone whose name is the full host name you want to override, then add a new Host (A) record in that zone with the Name field left blank, so it shows as "(same as parent folder)", pointing at the internal IP.)

Now you have split DNS for the single host name only.
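The same single-host zone from the shell, as an added example that is not part of the original post: the host name mail.example.com and the internal address 192.168.10.5 are placeholders, and the DnsServer and DnsClient cmdlets exist on Windows Server 2012 and later (the dnscmd lines in the comments are the 2008-era equivalent).

```powershell
# Added example (not from the original post): create the single-host ("pinpoint")
# zone and its "(same as parent folder)" A record without the New Zone wizard.
# Assumed placeholders: mail.example.com is the host, 192.168.10.5 its internal IP.
$HostFqdn   = 'mail.example.com'
$InternalIp = '192.168.10.5'

# Windows Server 2012 and later: DnsServer module on the DC/DNS server
Import-Module DnsServer

# A primary zone whose NAME is the host itself, AD-integrated so every DC that
# runs DNS gets it through replication (no per-server manual copies).
Add-DnsServerPrimaryZone -Name $HostFqdn -ReplicationScope Domain

# "@" is the zone root, i.e. the record the console shows as "(same as parent folder)"
Add-DnsServerResourceRecordA -ZoneName $HostFqdn -Name '@' -IPv4Address $InternalIp

# Windows Server 2008 / 2008 R2 equivalent with dnscmd (AD-integrated zone):
#   dnscmd /ZoneAdd mail.example.com /DsPrimary
#   dnscmd /RecordAdd mail.example.com @ A 192.168.10.5

# Check from a domain-joined client: the host resolves to the internal address,
# while every other name in example.com is still answered by the external zone.
Resolve-DnsName -Name $HostFqdn -Type A | Select-Object Name, IPAddress
```

One caveat worth knowing before you rely on this: the internal DNS server is now authoritative for mail.example.com and everything beneath it, so any name such as foo.mail.example.com will fail to resolve internally until you add it to this zone as well.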


Problem with Exchange MMC Snap-in after April 11, 2011 updates.




We have seen a recent rash of issues with the Exchange MMC after the April 11 updates; this is due to a .NET change in the latest updates.

This issue is specific to a system with:

  • .NET Framework 3.5 Service Pack 1
  • .NET Framework 2.0 Service Pack 2
  • Windows Vista Service Pack 2 or Windows Server 2008 Service Pack 2
  • April 11 Windows updates (specifically 2449742 or 2446709)

The problem occurs when the broken version of hotfix 979744 is installed on the computer and security update 2449742 or 2446709 (part of security bulletin MS11-028) is then installed in that environment; that combination produces the issues described in the "Symptoms" section of the KB.

You can apply the fix here to resolve it.

Here is the KB that explains the issue.
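Before you go hunting for the fix, it is worth confirming that a misbehaving server actually matches the four conditions above. The following check is an added example, not from the original post: it reads the .NET service-pack levels from the registry and asks Get-HotFix about the three KB numbers quoted above (so it only sees hotfix 979744 if it was installed as a Windows update package, which is an assumption).

```powershell
# Added example (not from the original post): does this box match the affected
# combination listed above? Get-HotFix reads Win32_QuickFixEngineering, so a
# hotfix installed by other means will not show up (assumption noted in the lead-in).
$os  = Get-WmiObject Win32_OperatingSystem
$ndp = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP'

# Service-pack level of .NET 2.0 and 3.5 ("SP" DWORD under the NDP keys)
$net20sp = (Get-ItemProperty "$ndp\v2.0.50727" -ErrorAction SilentlyContinue).SP
$net35sp = (Get-ItemProperty "$ndp\v3.5"       -ErrorAction SilentlyContinue).SP

# The three updates named above
$kb = @{}
foreach ($id in 'KB979744', 'KB2449742', 'KB2446709') {
    $kb[$id] = [bool](Get-HotFix -Id $id -ErrorAction SilentlyContinue)
}

# Vista / Server 2008 are NT 6.0; SP2 shows up in CSDVersion
$osMatch = ($os.Version -like '6.0*') -and ($os.CSDVersion -eq 'Service Pack 2')

New-Object PSObject -Property @{
    OS             = "$($os.Caption) $($os.CSDVersion)"
    Net20SP        = $net20sp
    Net35SP        = $net35sp
    Hotfix979744   = $kb['KB979744']
    MS11_028       = $kb['KB2449742'] -or $kb['KB2446709']
    LikelyAffected = $osMatch -and ($net20sp -eq 2) -and ($net35sp -eq 1) -and
                     $kb['KB979744'] -and ($kb['KB2449742'] -or $kb['KB2446709'])
}
```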

Troubleshooting CRL issues in an Exchange 2010 Lab

Here is the story: I was building a lab so I could test Domain Secure connections between Exchange 2010 orgs. I issued a cert to both servers from a CA in domain 1 and imported the CA root cert into the Trusted Root store of both servers. Then, when I tried to activate services or use MTLS on my connectors, I got the following error:

The Certificate Status Could not be determined Because the revocation check failed

Here are the steps I took (with some help) that got my servers talking and CRL checking working.

  1. Verify that a CRL URL is published in the certificate
    • Re-issue the cert if needed
  2. Verify that the CRL URL can be accessed from the server
  3. Clear the URL cache
    • certutil -urlcache crl delete
    • certutil -urlcache ocsp delete
  4. Check the validity of the URLs in the cert
    • certutil -verify -urlfetch C:\foobar2.cer
  5. Clear and force a re-sync of the chain cache
    • certutil -setreg chain\ChainCacheResyncFiletime @now
  6. Clear and force a re-sync of the chain cache and don't use the cache for 3 days
    • certutil -setreg chain\ChainCacheResyncFiletime @now+3
  7. Install and configure the 2008 Online Responder on the CA
  8. Point WinHTTP (which is what CryptoAPI uses for CRL/OCSP fetches) at the proxy:
    • netsh winhttp set proxy proxy-server="http=myproxy:8080;https=sproxy:8080" bypass-list="*"
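Steps 1, 2 and 4 done programmatically, as an added example that is mine rather than the post's: it pulls the CRL Distribution Point URLs out of the certificate, fetches each HTTP one, and then builds the chain with online revocation checking so you see the exact status flag behind "the revocation check failed". The path C:\foobar2.cer is the one used above; everything else is standard .NET.

```powershell
# Added example (not from the original post): CDP URLs, reachability, and a chain
# build with online revocation checking for the cert the error is about.
param([string]$CertPath = 'C:\foobar2.cer')

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
"Subject: $($cert.Subject)"

# Step 1: CRL Distribution Points extension (OID 2.5.29.31). No extension = no CRL
# URL published, so the client cannot check revocation at all -> re-issue the cert.
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if (-not $cdp) {
    Write-Warning 'No CRL Distribution Point extension: re-issue the cert with a CDP.'
    $urls = @()
} else {
    # Format($true) renders "URL=http://..." lines; LDAP URLs come URL-encoded, so \S+ is safe
    $urls = [regex]::Matches($cdp.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
}

# Step 2: can each HTTP CDP be fetched from this box? (LDAP CDPs need a DC; skipped here.)
foreach ($u in $urls) {
    if ($u -notmatch '^https?://') { "SKIP (non-HTTP) $u"; continue }
    try {
        $bytes = (New-Object System.Net.WebClient).DownloadData($u)
        "OK   $u ($($bytes.Length) bytes)"
    } catch {
        "FAIL $u : $($_.Exception.Message)"
    }
}

# Step 4: build the chain exactly the way a revocation-checking caller would,
# online and for the entire chain, and print every status flag it sets.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$valid = $chain.Build($cert)
"Chain builds cleanly: $valid"
foreach ($s in $chain.ChainStatus) {
    '  {0}: {1}' -f $s.Status, $s.StatusInformation.Trim()
}
```

Two things the output tells you that certutil does not spell out: RevocationStatusUnknown or OfflineRevocation in the status list means the CRL could not be obtained, not that the cert is revoked. Also, a successful WebClient fetch proves the URL works through the WinINET/IE proxy settings, while CryptoAPI goes through WinHTTP, which is why step 8 above (netsh winhttp set proxy) can still be needed even when this script says OK.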



Note: I finally found that I had an issue with my TMG server when routing across it (even though it was supposed to not be filtered).
I moved my VM to the same network (i.e. both on 192.168.10.x) and then I was able to get it working...

I still need to figure out why TMG was breaking it. Conversely, I did get it working with ISA 2006 without issue; I will update this post when I figure out the issue with TMG.

OWA 2007 Search only displays the first 100 results.

The default limit for an Exchange 2007 OWA search is 100 items; if you search for something that has more than 100 results, only the first 100 are displayed.



Change the default search limit in OWA 2007

You can change this by modifying the OWA web.config.

The default location is: C:\Program Files\Microsoft\Exchange Server\ClientAccess\Owa\web.config

Look for the following entry:

      <add key="MaximumIdentityArraySize" value="100" />


Adjust the value to whatever you want, but keep in mind that this can have a performance impact on the CAS if large queries are common.
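A scripted version of that edit, added here and not part of the original post: it backs the file up first and locates the key by XPath, so it does not matter where in the file the entry sits (the new limit of 500 is an arbitrary placeholder, not a recommendation).

```powershell
# Added example (not from the original post): raise MaximumIdentityArraySize in the
# OWA web.config with a timestamped backup. The new limit is a placeholder; pick a
# value you have actually load-tested on your CAS.
$WebConfig = 'C:\Program Files\Microsoft\Exchange Server\ClientAccess\Owa\web.config'
$NewLimit  = 500

# Keep a copy: IIS reloads the application as soon as web.config changes,
# so a bad edit takes OWA down immediately.
Copy-Item -Path $WebConfig -Destination "$WebConfig.$(Get-Date -Format yyyyMMddHHmmss).bak"

[xml]$xml = Get-Content -Path $WebConfig
$node = $xml.SelectSingleNode("//add[@key='MaximumIdentityArraySize']")
if (-not $node) { throw "MaximumIdentityArraySize not found in $WebConfig" }

"MaximumIdentityArraySize: $($node.value) -> $NewLimit"
$node.value = [string]$NewLimit
$xml.Save($WebConfig)
```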

Getting Mailbox sizes

Remember the days when you could open ESM, click on the mail store and see all the mailbox sizes? Then you could sort them with a click and know which users to go have a discussion with about mail usage. Where did that go in Exchange 2010/2007?

You can use PowerShell to gather all that info and export it to a CSV. Get-MailboxStatistics needs a mailbox, server or database to work on, so feed it the databases:

      Get-MailboxDatabase | Get-MailboxStatistics | Sort-Object TotalItemSize -Descending | Select-Object DisplayName, ItemCount, TotalItemSize | Export-Csv -Path C:\mboxStats.csv -NoTypeInformation
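The one-liner has a catch in the Exchange 2010 remote shell: TotalItemSize comes back as text such as "1.2 GB (1,288,490,188 bytes)", so Sort-Object sorts it as a string and 900 MB lands above 2 GB. The following is an added example (not from the post) that converts the size to a number before sorting, skips disconnected mailboxes, and still writes the CSV:

```powershell
# Added example (not from the original post): mailbox sizes as numbers so the
# sort is correct in the remote Exchange Management Shell.
$report = Get-MailboxDatabase | Get-MailboxStatistics |
    Where-Object { $null -eq $_.DisconnectDate } |          # skip disconnected mailboxes
    Select-Object DisplayName, Database, ItemCount, LastLogonTime,
        @{ Name = 'TotalItemSizeMB'; Expression = {
            # Deserialized value renders as "1.2 GB (1,288,490,188 bytes)"; take the byte count
            $raw = $_.TotalItemSize.ToString()
            if ($raw -match '\(([\d,]+) bytes\)') {
                [math]::Round(([double]($Matches[1] -replace ',', '')) / 1MB, 2)
            } else { 0 }
        } } |
    Sort-Object TotalItemSizeMB -Descending

$report | Export-Csv -Path C:\mboxStats.csv -NoTypeInformation
$report | Select-Object -First 10 | Format-Table -AutoSize   # the "go have a chat" list
```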

Or, if you want the GUI back:

Glen Scales developed a very cool PowerShell script that gives you a GUI for mailbox sizes.

Exchange 2010

Exchange 2007

My only gripe is that he thought of it first.

Great script man!

Can't upgrade an Address Policy after removing your 2003 Exchange server.

When you try to update your address policy on Exchange 2010 or 2007 as the documentation tells you to:

Set-EmailAddressPolicy “Default Policy” –IncludedRecipients AllRecipients

You get the following error:

Set-EmailAddressPolicy : The recipient policy "Default Policy" with mailbox manager settings cannot be managed by the current version of Exchange Management Console. Please use a management console with the same version as the object.
At line:1 char:23
+ Set-EmailAddressPolicy <<<< "Default Policy" -IncludedRecipients AllRecipien

  1. Remove Mailbox Manager from Exchange 2003 (if that server is already gone, as in the title, you have to edit the attribute by hand as in step 2).
  2. Manually change the attribute of the policy:
    1. Start –> Run –> Adsiedit
    2. Right-click ADSI Edit –> Connect to –> Configuration
    3. Expand Configuration Container [] –> CN=Configuration… –> CN=Services –> CN=Microsoft Exchange –> CN=Your_Exchange_Org_Name –> CN=Recipient Policies
    4. Right-click Default Policy –> Properties and find the msExchPolicyOptionList value
    5. Click Edit –> Edit
    6. Remove the Mailbox Manager Policy hex value (the screenshots that accompanied these steps in the original are not reproduced here):
      • FC 1C 49 26 50 9E 57 48 86 1B 0C B8 DF 22 B5 D7 = Address List policy
      • EC 13 68 3B 89 CE BA 42 94 42 D8 7D 4A A3 0D BC = Mailbox Manager Policy
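The same edit from PowerShell, as an added example of my own rather than the post's: it binds to the policy object over ADSI, prints every value in msExchPolicyOptionList with the name from the table above, and removes the Mailbox Manager one. Read as little-endian GUIDs the two byte strings above are {26491CFC-9E50-4857-861B-0CB8DF22B5D7} (the e-mail address policy) and {3B6813EC-CE89-42BA-9442-D87D4AA30DBC} (Mailbox Manager), which is the identity the script matches on. The org name is a placeholder, the account must be able to write to the Configuration partition, and nothing is written unless you pass -Commit.

```powershell
# Added example (not from the original post): strip the Mailbox Manager value from
# msExchPolicyOptionList on a recipient policy. Dry run unless -Commit is given.
# $OrgName is a placeholder for your Exchange organization name.
param(
    [string]$OrgName    = 'Your_Exchange_Org_Name',
    [string]$PolicyName = 'Default Policy',
    [switch]$Commit
)

# The hex values from the ADSI Edit steps, without spaces, for lookup/display
$KnownPolicies = @{
    'FC1C4926509E5748861B0CB8DF22B5D7' = 'Address List policy (keep)'
    'EC13683B89CEBA429442D87D4AA30DBC' = 'Mailbox Manager Policy (remove)'
}
$MailboxManager = 'EC13683B89CEBA429442D87D4AA30DBC'

function ConvertTo-Hex([byte[]]$Bytes) { ($Bytes | ForEach-Object { '{0:X2}' -f $_ }) -join '' }

# Bind to CN=Default Policy under Recipient Policies in the Configuration partition
$configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$policy   = [ADSI]("LDAP://CN=$PolicyName,CN=Recipient Policies,CN=$OrgName," +
                   "CN=Microsoft Exchange,CN=Services,$configNc")
$attr = $policy.psbase.Properties['msExchPolicyOptionList']   # multi-valued octet string

$keep = @()
foreach ($value in $attr) {                 # each value arrives as byte[]
    $hex  = ConvertTo-Hex $value
    $name = if ($KnownPolicies.ContainsKey($hex)) { $KnownPolicies[$hex] } else { 'unknown (keep)' }
    '{0}  {1}' -f $hex, $name
    if ($hex -ne $MailboxManager) { $keep += , $value }
}

if ($keep.Count -eq $attr.Count) {
    'No Mailbox Manager value present; nothing to do.'
} elseif ($Commit) {
    # Rewrite the attribute with only the values we are keeping
    $attr.Clear()
    foreach ($value in $keep) { [void]$attr.Add($value) }
    $policy.psbase.CommitChanges()
    'Removed the Mailbox Manager value; now re-run Set-EmailAddressPolicy.'
} else {
    'Dry run: re-run with -Commit to write the change.'
}
```

After the value is gone, the Set-EmailAddressPolicy "Default Policy" -IncludedRecipients AllRecipients command from above should complete normally.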

MSExchange ADAccess Event ID’s 2601, 2604, 2501


After a reboot of an Exchange 2010 server running on Windows Server 2008 R2, the following events are logged in the Application log:

Log Name: Application
Source: MSExchange ADAccess
Level: Warning
Event ID: 2601

Log Name: Application
Source: MSExchange ADAccess
Event ID: 2604
Level: Error

Log Name: Application
Source: MSExchange ADAccess
Event ID: 2501
Level: Error

A NETLOGON error 5719 (the server could not find a domain controller) might also be seen, in the System log.


While this article points out that this can be a normal occurrence, it doesn't explain why:

Today's switches and NICs have advanced protocols that enable a lot of really great functionality and stability; unfortunately that often comes at the cost of negotiation time, so the Exchange services can start before the link is actually passing traffic and fail to find a domain controller.

Here are some things you can do to remedy the issue:

  1. Enable functions like PortFast on your switch port.
  2. Disable advanced functions on the switch (such as spanning tree).
  3. Disable advanced functions on the NICs.
  4. Delay the service startup (properties of the service –> Startup type –> Automatic (Delayed Start)).
  5. Configure Recovery options on the properties of the service to force it to restart the service after a failure.
  6. In extreme cases you can make a service dependent on another service.

NOTE: disabling some services on a switch can put you at risk for things like network loops, so document your changes and weigh the pros and cons.
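Before touching the switch, confirm that the events really are a start-up race and apply the two server-side remedies (4 and 5) first. The following is an added example, not from the original post: part one lists the ADAccess 2601/2604/2501 and NETLOGON 5719 events since the last boot with their offset from boot time, and part two uses sc.exe to set delayed start and automatic restart on the service that raises them (assumed here to be MSExchangeADTopology); nothing is changed unless you pass -Apply.

```powershell
# Added example (not from the original post): is this a boot-time race, and if so,
# apply remedies 4 and 5 to the AD Topology service. MSExchangeADTopology is assumed
# to be the service behind the MSExchange ADAccess events.
param([switch]$Apply)

$os   = Get-WmiObject Win32_OperatingSystem
$boot = $os.ConvertToDateTime($os.LastBootUpTime)

$adaccess = @(Get-WinEvent -FilterHashtable @{
    LogName = 'Application'; ProviderName = 'MSExchange ADAccess'; Id = 2601, 2604, 2501
} -ErrorAction SilentlyContinue)
$netlogon = @(Get-WinEvent -FilterHashtable @{
    LogName = 'System', 'Application'; ProviderName = 'NETLOGON'; Id = 5719
} -ErrorAction SilentlyContinue)

# Events that cluster within the first minute or two after boot point at link
# negotiation; events spread through the day point at something else entirely.
$adaccess + $netlogon |
    Where-Object { $_.TimeCreated -ge $boot } |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, ProviderName, Id, LevelDisplayName,
        @{ Name = 'SecondsAfterBoot'; Expression = { [int]($_.TimeCreated - $boot).TotalSeconds } } |
    Format-Table -AutoSize

$svc = 'MSExchangeADTopology'
if ($Apply) {
    # Remedy 4: Automatic (Delayed Start) lets NIC/switch negotiation finish first
    sc.exe config $svc start= delayed-auto
    # Remedy 5: restart 60 s after each of the first three failures; reset the count daily
    sc.exe failure $svc reset= 86400 actions= restart/60000/restart/60000/restart/60000
} else {
    # Dry run: current start type and DEPENDENCIES. If you go on to remedy 6, note that
    # "sc.exe config depend=" replaces the whole list, so carry the existing entries over.
    sc.exe qc $svc
}
```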